VMware Cloud Community
jvm2016
Hot Shot
Hot Shot

digital_sign_powershell_script

Hi Luc,

good afternoon

can you please check the following article.

i performed on windows 2016 system to digitally sign one powershell script .

though it worked but am i supposed to get any digital block inside the script.

https://community.spiceworks.com/how_to/153255-windows-10-signing-a-powershell-script-with-a-self-si...

12 Replies
LucD
Leadership
Leadership

You should see a block of text at the end of the signed script.
The block will start with

# SIG # Begin signature block

and end with

# SIG # End signature block


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
LucD
Leadership
Leadership

Try the following snippet.
It should show you how a script looks before and after signing.

It uses a self-signed certificate to sign the script.

$code = @'

Write-Host "Hello!"

'@

$code | Set-Content -Path .\test.ps1


Get-Content -Path .\test.ps1


$sCert = @{

  Subject           = 'MyCert'

  Type              = 'CodeSigning'

  CertStoreLocation = 'Cert:\CurrentUser\My'

}

$cert = New-SelfSignedCertificate @sCert


$sSign = @{

  Certificate = $cert

  FilePath    = '.\test.ps1'

}

Set-AuthenticodeSignature @sSign


Get-Content -Path .\test.ps1


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
jvm2016
Hot Shot
Hot Shot

Hi Luc ,

I think i am not getting it correctly .

if you could suggest the  unknown error .

pastedImage_0.png

Reply
0 Kudos
LucD
Leadership
Leadership

That is to be expected with a self-signed certificate.

Behind the covers, it would produce the error "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider", which the cmdlet seems to translate to this UnknownError.
In short, the self-signed certificate does not chain to a trusted root certificate.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
jvm2016
Hot Shot
Hot Shot

i am looking for something that would create block in actual powershell script .is it something possible by any ways .

Reply
0 Kudos
LucD
Leadership
Leadership

I'm afraid not, it would be like

tree.jpg

You're changing the content of a file, that you want to protect against content change :smileygrin:

You could eventually call an external script that does the signing.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

jvm2016
Hot Shot
Hot Shot

i mean to say digitally sign by trusted CA .so that the content is ecrypted and whenever someone try to alter the script it compares the content

with encrypted digital signature .

i am not sure what advantages im getting using self signed script if i need to run on remote systems that has execution policy

as remote signed .

Reply
0 Kudos
LucD
Leadership
Leadership

You can/should, of course, use a trusted CA, just make sure it has the CodeSigning attribute.

The previous code snippet was just an example to try out signing scripts (since you mentioned you didn't get the signature block in the script).

Btw, there is a difference between signing and encrypting, but you probably know that.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
jvm2016
Hot Shot
Hot Shot

my understanding so far is if we digitally sign any script with trusted CA it create a start and end block in the script with encrypted content of the script in signaure block .

so one part of signature is actually the encrypyed content of the script .is this not true??

Reply
0 Kudos
LucD
Leadership
Leadership

Not in my book, signing and encrypting a script are two different things.
And require different certificate attributes afaik.

See Encryption and Signing for some background info.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Reply
0 Kudos
jvm2016
Hot Shot
Hot Shot

Thanks Luc ,

I m checking this .

Reply
0 Kudos